Bug #19153
Status: Closed
Since 2.7.7 CGI::Cookie raises ArgumentError when the cookie domain is prefixed with a dot
Description
The rspec tests of our Rails app started failing with an ArgumentError after upgrading to 2.7.7. On inspection, the issue seems to be caused by CGI::Cookie.domain=:
    def domain=(str)
      if str and ((str = str.b).bytesize > 255 or !DOMAIN_VALUE_RE.match?(str))
        raise ArgumentError, "invalid domain: #{str.dump}"
      end
      @domain = str
    end
Setting a breakpoint:
0> str
=> ".example.com"
0> DOMAIN_VALUE_RE
=> /\A(?<label>(?!-)[-A-Za-z0-9]+(?<!-))(?:\.\g<label>)*\z/
0> DOMAIN_VALUE_RE.match?(str)
=> false
0> DOMAIN_VALUE_RE.match?('example.com')
=> true
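The following is an added example, not code from the report or from the ruby/cgi gem. It reproduces the check that CGI::Cookie#domain= performs (binary string, 255-byte limit, regexp match) and runs a few constructed domain values through two regexps: STRICT_RE is the 0.3.5 pattern from the report with the stripped group name restored, and LENIENT_RE is this example's own variant that merely makes a leading dot optional (an assumption about the shape of the fix, not a quote of the cgi-0.3.6 source). The canonical_domain helper applies RFC 6265 section 5.2.3, under which a user agent ignores a leading "." in the Domain attribute.

```ruby
# Added example: mirrors the domain validation discussed in the report.
# STRICT_RE is the regexp from the report (cgi 0.3.5).
# LENIENT_RE is this example's own construction: optional leading dot.
STRICT_RE  = %r"\A(?<label>(?!-)[-A-Za-z0-9]+(?<!-))(?:\.\g<label>)*\z"
LENIENT_RE = %r"\A\.?(?<label>(?!-)[-A-Za-z0-9]+(?<!-))(?:\.\g<label>)*\z"

# Same logic as the body of CGI::Cookie#domain=: nil is accepted, anything
# else is treated as bytes, must be at most 255 bytes and must match the
# regexp. Returns true/false instead of raising ArgumentError.
def domain_valid?(str, re)
  return true if str.nil?
  str = str.b
  str.bytesize <= 255 && re.match?(str)
end

# RFC 6265 section 5.2.3: a user agent drops a leading "." from the Domain
# attribute, so ".Example.COM" and "example.com" name the same domain.
def canonical_domain(str)
  str = str.b
  str = str[1..] if str.start_with?(".")
  str.downcase
end

# Constructed sample values (not taken from any real application).
SAMPLES = [
  "example.com",
  ".example.com",                  # the Rails case from the report
  "-bad.example.com",              # a label may not start with a hyphen
  "ex ample.com",                  # whitespace is never allowed
  "evil.com\r\nSet-Cookie: x=y",   # header injection attempt
  "a" * 256,                       # exceeds the 255 byte limit
]

if __FILE__ == $0
  SAMPLES.each do |s|
    printf("%-34p strict=%-5s lenient=%-5s\n",
           s, domain_valid?(s, STRICT_RE), domain_valid?(s, LENIENT_RE))
  end
end
```

Note that the lenient pattern still anchors with \A and \z and still restricts every label to `[-A-Za-z0-9]`, so CR/LF, spaces and leading hyphens are rejected either way; only the leading dot changes between the two.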
Updated by mame (Yusuke Endoh) about 2 years ago
This issue is discussed at https://github.com/ruby/cgi/pull/29 .
As I wrote in https://github.com/ruby/cgi/pull/29#issuecomment-1325852303, RFC 6265 prohibits leading dot for Cookie domain. However, the old spec of Cookie (RFC 2109) required the leading dot. I think it is reasonable to allow leading dots.
@akr (Akira Tanaka) @naruse (Yui NARUSE) What do you think?
Updated by hsbt (Hiroshi SHIBATA) about 2 years ago
FYI: https://github.com/ruby/cgi/pull/29#issuecomment-1328487556
I released cgi-0.3.6 for this issue. Can you try it by adding "cgi", ">= 0.3.6" to your Gemfile?
Updated by mame (Yusuke Endoh) about 2 years ago
mame (Yusuke Endoh) wrote in #note-1:
As I wrote in https://github.com/ruby/cgi/pull/29#issuecomment-1325852303, RFC 6265 prohibits leading dot for Cookie domain. However, the old spec of Cookie (RFC 2109) required the leading dot. I think it is reasonable to allow leading dots.
Just for the record: it looks like RFC 6265 allows a leading dot. See https://github.com/ruby/cgi/pull/29#issuecomment-1328487556
Updated by hsbt (Hiroshi SHIBATA) about 2 years ago
- Status changed from Open to Closed
- Backport changed from 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN to 2.7: REQUIRED, 3.0: REQUIRED, 3.1: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) almost 2 years ago
- Backport changed from 2.7: REQUIRED, 3.0: REQUIRED, 3.1: REQUIRED to 2.7: REQUIRED, 3.0: REQUIRED, 3.1: DONE
ruby_3_1 4141989b2aef2993bb19140a4be355d1c68b8be1 merged revision(s) 656f25987cf2885104d5b13c8d3f5b7d32f1b333,98074a57ca9f3169fe9da9af6c49b636d37db16f,745dcf5326ea2c8e2047a3bddeb0fbb7e7d07649,b335d899fff3cc22b022c9ee2ceb636d714bf1a7.
Updated by nagachika (Tomoyuki Chikanaga) almost 2 years ago
Updated the bundled cgi to 0.3.6 on ruby_3_1 branch.